Is it possible to forward traffic from a port to another out-of-the-box?

2

I have an Oracle DBMS on a remote Linux machine (AWS Linux, should be similar to RHEL).

Unfortunately, the network I'm in only allows outgoing traffic to ports 80, 443 and 22.

As we are talking about a test machine, I'd like to make a setup so that all incoming traffic on port 80 is immediately forwarded to port 1521.

I cannot use an HTTP proxy, as the traffic would indeed be the custom Oracle protocol traffic on port 1521, but I heard that Linux allows you to simply forward it out of the box. Could you tell me how to do this? Thanks.

Phate

Posted 2018-06-19T20:46:05.980

Reputation: 211

You should be able to do this out of the box with netfilter (iptables). But I'm not familiar with the exact command. – Cliff Armstrong – 2018-06-20T03:44:01.307

Answers

2

One way to do it (unfortunately not 'out of the box' as you mention) is to use a program called socat. It's accessible in most package repos, so you could use yum install socat in your scenario (on Debian, apt install socat works).

The command used is socat tcp-listen:[public accessible port],reuseaddr,fork tcp:localhost:[actual port]. In your case, it would be sudo socat tcp-listen:80,reuseaddr,fork tcp:localhost:1521. (Note that you might need superuser privileges depending on your configuration.)

For more answers, you can look here.

Breq16

Posted 2018-06-19T20:46:05.980

Reputation: 198

2

Fair warning, I'm not an expert with netfilter (iptables).

Any respectable Linux server distro should have netfilter installed and enabled in its kernel. Netfilter allows you to route, block, and otherwise manipulate packets entering and leaving your system. Try running this as root on the server machine:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1521

You may have to change eth0 to the correct device name for the server's LAN adapter. This should cause any packets coming in on port 80 to be received by Oracle DBMS listening on port 1521.

I went ahead and looked up what these options do (because I'm not super familiar with managing netfilter by hand). Lemme break it down:

-t nat -A PREROUTING

This selects the NAT table and appends (-A) the new rule to the PREROUTING chain of the NAT table. Generally, when you're redirecting from one port to another, that belongs in the NAT table. The PREROUTING chain happens very early in Netfilter's processing of incoming packets. It's the very first chain for incoming packets, typically.

-i eth0 -p tcp --dport 80

These are the filter portion of the rule. We are telling it what interface (-i) and protocol (-p) you want this rule to affect packets on. In this example, we are creating a rule for tcp traffic on interface eth0. We are also telling it what destination port (--dport) to look for in the packets... in this case packets with a destination port of 80 (tcp).

When you try to connect to tcp port 80 on the server with the Oracle DBMS the tcp packets your machine sends will have a destination port of 80 in their headers.

-j REDIRECT --to-ports 1521

This is the meat of the rule. Here you are telling it that packets that match the filters above are to be redirected (-j REDIRECT) to port 1521 (--to-ports 1521). When netfilter is on the same system as the application you want to redirect traffic to, you use REDIRECT. When the application is on another server you would use DNAT instead (and specify both IP and port).

Please let me know if this works.

These settings are not persistent; to make them persistent, I would suggest that you look into installing iptables-persistent. You can find more information here on StackOverflow.

Cliff Armstrong

Posted 2018-06-19T20:46:05.980

Reputation: 1 813

I will try right away, thanks! Is this setting persistent or would it be lost after restart? In the first case, could you also tell me how to roll it back? – Phate – 2018-06-20T06:54:15.273
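The follow-up asks how to roll the REDIRECT rule back. The script below is an added example, not code from either answer: it keeps one rule spec and reuses it for iptables -A (append), -C (check, to avoid adding the same rule twice) and -D (delete, the rollback). It assumes root, an installed iptables, the interface name in IFACE (eth0 as in the answer), and an optional CLIENT address that narrows the redirect to one source with -s so the database is not reachable from everyone who can hit port 80.

```shell
#!/bin/sh
# Added example (not from the answers above): apply, verify and roll back the
# REDIRECT rule using the same rule spec, optionally limited to one client.
# Assumptions: run as root, iptables installed, IFACE is the LAN adapter name.

IFACE="${IFACE:-eth0}"        # LAN adapter, as in the answer
FROM_PORT="${FROM_PORT:-80}"  # port clients are allowed to reach
TO_PORT="${TO_PORT:-1521}"    # port the Oracle listener is on
CLIENT="${CLIENT:-}"          # optional source IP/CIDR allowed to use the redirect

# One rule spec reused for -A, -C and -D, so the rollback removes exactly
# the rule that was added. Arguments: interface, from-port, to-port, client.
redirect_rule() {
  iface=$1; from=$2; to=$3; client=$4
  spec="PREROUTING -i $iface -p tcp"
  [ -n "$client" ] && spec="$spec -s $client"
  printf '%s' "$spec --dport $from -j REDIRECT --to-ports $to"
}

rule_exists() {
  # iptables -C exits 0 only if an identical rule is already in the chain
  iptables -t nat -C $(redirect_rule "$IFACE" "$FROM_PORT" "$TO_PORT" "$CLIENT") 2>/dev/null
}

apply_redirect() {
  if rule_exists; then
    echo "redirect $FROM_PORT -> $TO_PORT already present"
  else
    iptables -t nat -A $(redirect_rule "$IFACE" "$FROM_PORT" "$TO_PORT" "$CLIENT")
  fi
}

rollback_redirect() {
  # The rule is not persistent across reboots, but -D removes it right away
  if rule_exists; then
    iptables -t nat -D $(redirect_rule "$IFACE" "$FROM_PORT" "$TO_PORT" "$CLIENT")
  else
    echo "no redirect rule to remove"
  fi
}

show_nat() {
  # -n skips DNS lookups; --line-numbers helps if you ever delete by position
  iptables -t nat -L PREROUTING -n --line-numbers
}

case "${1:-}" in
  apply)    apply_redirect ;;
  rollback) rollback_redirect ;;
  show)     show_nat ;;
  *)        : ;;   # no argument: only define the functions
esac
```

Run it as `sudo sh redirect.sh apply`, check with `show`, and undo with `rollback`; the same spec string is what you would hand to iptables-persistent or a boot script if you later want it to survive a restart.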